120 lines
62 KiB
HTML
120 lines
62 KiB
HTML
|
<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><link rel="shortcut icon" href="/assets/images/favicon.png" type="image/x-icon"><link rel="stylesheet" href="/assets/css/just-the-docs-default.css"> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-4622520-7"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-4622520-7', { 'anonymize_ip': true }); </script> <script type="text/javascript" src="/assets/js/vendor/lunr.min.js"></script> <script src="https://cdn.jsdelivr.net/npm/mermaid@10.8.0/dist/mermaid.min.js"></script> <script type="text/javascript" src="/assets/js/just-the-docs.js"></script><meta name="viewport" content="width=device-width, initial-scale=1"><title>Java Deserialization | Metasploit Documentation Penetration Testing Software, Pen Testing Security</title><meta name="generator" content="Jekyll v4.3.4" /><meta property="og:title" content="Java Deserialization" /><meta property="og:locale" content="en_US" /><meta name="description" content="View Metasploit Framework Documentation" /><meta property="og:description" content="View Metasploit Framework Documentation" /><link rel="canonical" href="https://rapid7.github.io/metasploit-framework/docs/development/developing-modules/libraries/deserialization/generating-ysoserial-java-serialized-objects.html" /><meta property="og:url" content="https://rapid7.github.io/metasploit-framework/docs/development/developing-modules/libraries/deserialization/generating-ysoserial-java-serialized-objects.html" /><meta property="og:site_name" content="Metasploit Documentation Penetration Testing Software, Pen Testing Security" /><meta property="og:type" content="website" /><meta name="twitter:card" content="summary" /><meta property="twitter:title" content="Java Deserialization" /> <script type="application/ld+json"> {"@context":"https://schema.org","@type":"WebPage","description":"View Metasploit Framework Documentation","headline":"Java Deserialization","publisher":{"@type":"Organization","logo":{"@type":"ImageObject","url":"https://rapid7.github.io/metasploit-framework/assets/images/favicon.png"}},"url":"https://rapid7.github.io/metasploit-framework/docs/development/developing-modules/libraries/deserialization/generating-ysoserial-java-serialized-objects.html"}</script><body> <svg xmlns="http://www.w3.org/2000/svg" style="display: none;"> <symbol id="svg-link" viewBox="0 0 24 24"><title>Link</title><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path> </svg> </symbol> <symbol id="svg-search" viewBox="0 0 24 24"><title>Search</title><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-search"> <circle cx="11" cy="11" r="8"></circle><line x1="21" y1="21" x2="16.65" y2="16.65"></line> </svg> </symbol> <symbol id="svg-menu" viewBox="0 0 24 24"><title>Menu</title><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-menu"><line x1="3" y1="12" x2="21" y2="12"></line><line x1="3" y1="6" x2="21" y2="6"></line><line x1="3" y1="18" x2="21" y2="18"></line> </svg> </symbol> <symbol id="svg-arrow-right" viewBox="0 0 24 24"><title>Expand</title><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-chevron-right"><polyline points="9 18 15 12 9 6"></polyline> </svg> </s
|
|||
|
|
10 include Msf::Exploit::Powershell
|
|||
|
|
11 include Msf::Exploit::JavaDeserialization
|
|||
|
|
12
|
|||
|
|
13 def initialize(info = {})
|
|||
|
|
...
|
|||
|
|
78 def exploit
|
|||
|
|
79 java_payload = generate_java_deserialization_for_payload('CommonsCollections2', payload)
|
|||
|
|
80 ciphertext = aes_encrypt(java_payload)
|
|||
|
|
</code></pre></div></div><p>Once the serialized object is generated and stored as <code class="language-plaintext highlighter-rouge">java_payload</code>, it’s then sent to the target in an exploit-specific manner.</p><h2 id="methods"> <a href="#methods" class="anchor-heading" aria-labelledby="methods"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> Methods</h2><h3 id="generate_java_deserialization_for_payloadname-payload"> <a href="#generate_java_deserialization_for_payloadname-payload" class="anchor-heading" aria-labelledby="generate_java_deserialization_for_payloadname-payload"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> <code class="language-plaintext highlighter-rouge">#generate_java_deserialization_for_payload(name, payload)</code></h3><p>This method will generate a serialized Java object that when loaded will execute the specified Metasploit payload. The payload will be converted to an operating system command using one of the supported techniques contained within this method and then passed to <a href="#generate_java_deserialization_for_commandname-shell-command"><code class="language-plaintext highlighter-rouge">#generate_java_deserialization_for_command</code></a>.</p><ul><li><p><strong>name</strong> - The payload name parameter must be one of the supported payloads stored in the <code class="language-plaintext highlighter-rouge">ysoserial</code> cache. As of this writing, the list includes: <code class="language-plaintext highlighter-rouge">BeanShelll1</code>, <code class="language-plaintext highlighter-rouge">Clogure</code>, <code class="language-plaintext highlighter-rouge">CommonsBeanutils1</code>, <code class="language-plaintext highlighter-rouge">CommonsCollections2</code>, <code class="language-plaintext highlighter-rouge">CommonsCollections3</code>, <code class="language-plaintext highlighter-rouge">CommonsCollections4</code>, <code class="language-plaintext highlighter-rouge">CommonsCollections5</code>, <code class="language-plaintext highlighter-rouge">CommonsCollections6</code>, <code class="language-plaintext highlighter-rouge">Groovy1</code>, <code class="language-plaintext highlighter-rouge">Hibernate1</code>, <code class="language-plaintext highlighter-rouge">JBossInterceptors1</code>, <code class="language-plaintext highlighter-rouge">JRMPClient</code>, <code class="language-plaintext highlighter-rouge">JSON1</code>, <code class="language-plaintext highlighter-rouge">JavassistWeld1</code>, <code class="language-plaintext highlighter-rouge">Jdk7u21</code>, <code class="language-plaintext highlighter-rouge">MozillaRhino1</code>, <code class="language-plaintext highlighter-rouge">Myfaces1</code>, <code class="language-plaintext highlighter-rouge">ROME</code>, <code class="language-plaintext highlighter-rouge">Spring1</code>, <code class="language-plaintext highlighter-rouge">Spring2</code>, and <code class="language-plaintext highlighter-rouge">Vaadin1</code>. While <code class="language-plaintext highlighter-rouge">ysoserial</code> includes additional payloads that are not listed above, they are unsupported by the library due to the need for complex inputs. Should there be use cases for additional payloads, please consider opening an issue and submitting a pull request to add support.</p><li><p><strong>payload</strong> - The payload object to execute on the remote system. This is the native Metasploit payload object and it will be automatically converted to an operating system command using a technique suitable for the target platform and architecture. For example, x86 Windows payloads will be converted using a Powershell command. Not all platforms and architecture combinations are supported. Unsupported combinations will result in a <code class="language-plaintext highlighter-rouge">RuntimeError</code> being raised which will need to be handled by the module developer.</p></ul><h3 id="generate_java_deserialization_for_commandname-shell-command"> <a href="#generate_java_deserialization_for_commandname-shell-com
|
|||
|
|
$ ./runme.sh
|
|||
|
|
Sending build context to Docker daemon 101.8MB
|
|||
|
|
Step 1/8 : FROM ubuntu
|
|||
|
|
---> cd6d8154f1e1
|
|||
|
|
Step 2/8 : RUN apt update && apt -y upgrade
|
|||
|
|
---> Using cache
|
|||
|
|
---> ba7e5691ed5a
|
|||
|
|
Step 3/8 : RUN apt install -y wget openjdk-8-jre-headless ruby-dev make gcc
|
|||
|
|
---> Using cache
|
|||
|
|
---> d38488663627
|
|||
|
|
Step 4/8 : RUN wget -q https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar -O ysoserial-original.jar
|
|||
|
|
---> Using cache
|
|||
|
|
---> 284ff722464b
|
|||
|
|
Step 5/8 : RUN wget -q https://github.com/pimps/ysoserial-modified/raw/master/target/ysoserial-modified.jar
|
|||
|
|
---> Using cache
|
|||
|
|
---> 334c1ccb6fab
|
|||
|
|
Step 6/8 : RUN gem install --silent diff-lcs json pry
|
|||
|
|
---> Using cache
|
|||
|
|
---> 9d452be9d01f
|
|||
|
|
Step 7/8 : COPY find_ysoserial_offsets.rb /
|
|||
|
|
---> 61b6f339590c
|
|||
|
|
Step 8/8 : CMD ruby /find_ysoserial_offsets.rb
|
|||
|
|
---> Running in ba7b14646e56
|
|||
|
|
Removing intermediate container ba7b14646e56
|
|||
|
|
---> f4ca5ecb6848
|
|||
|
|
Successfully built f4ca5ecb6848
|
|||
|
|
Successfully tagged ysoserial-payloads:latest
|
|||
|
|
Generating payloads for BeanShell1...
|
|||
|
|
Generating payloads for C3P0...
|
|||
|
|
Error while generating or serializing payload
|
|||
|
|
java.lang.IllegalArgumentException: Command format is: <base_url>:<classname>
|
|||
|
|
at ysoserial.payloads.C3P0.getObject(C3P0.java:48)
|
|||
|
|
at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
|
|||
|
|
ERROR: Errored while generating 'C3P0' and it will not be supported
|
|||
|
|
Generating payloads for Clojure...
|
|||
|
|
Generating payloads for CommonsBeanutils1...
|
|||
|
|
Generating payloads for CommonsCollections1...
|
|||
|
|
Generating payloads for CommonsCollections2...
|
|||
|
|
Generating payloads for CommonsCollections3...
|
|||
|
|
Generating payloads for CommonsCollections4...
|
|||
|
|
Generating payloads for CommonsCollections5...
|
|||
|
|
Generating payloads for CommonsCollections6...
|
|||
|
|
Generating payloads for FileUpload1...
|
|||
|
|
Error while generating or serializing payload
|
|||
|
|
java.lang.IllegalArgumentException: Unsupported command []
|
|||
|
|
at ysoserial.payloads.FileUpload1.getObject(FileUpload1.java:71)
|
|||
|
|
at ysoserial.payloads.FileUpload1.getObject(FileUpload1.java:40)
|
|||
|
|
at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
|
|||
|
|
ERROR: Errored while generating 'FileUpload1' and it will not be supported
|
|||
|
|
Generating payloads for Groovy1...
|
|||
|
|
Generating payloads for Hibernate1...
|
|||
|
|
Generating payloads for Hibernate2...
|
|||
|
|
Error while generating or serializing payload
|
|||
|
|
java.sql.SQLException: DataSource name cannot be empty string
|
|||
|
|
at javax.sql.rowset.BaseRowSet.setDataSourceName(BaseRowSet.java:855)
|
|||
|
|
at com.sun.rowset.JdbcRowSetImpl.setDataSourceName(JdbcRowSetImpl.java:4307)
|
|||
|
|
at ysoserial.payloads.Hibernate2.getObject(Hibernate2.java:58)
|
|||
|
|
at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
|
|||
|
|
ERROR: Errored while generating 'Hibernate2' and it will not be supported
|
|||
|
|
Generating payloads for JBossInterceptors1...
|
|||
|
|
Generating payloads for JRMPClient...
|
|||
|
|
Generating payloads for JRMPListener...
|
|||
|
|
Error while generating or serializing payload
|
|||
|
|
java.lang.NumberFormatException: For input string: ""
|
|||
|
|
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
|
|||
|
|
at java.lang.Integer.parseInt(Integer.java:592)
|
|||
|
|
at java.lang.Integer.parseInt(Integer.java:615)
|
|||
|
|
at ysoserial.payloads.JRMPListener.getObject(JRMPListener.java:42)
|
|||
|
|
at ysoserial.payloads.JRMPListener.getObject(JRMPListener.java:34)
|
|||
|
|
at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
|
|||
|
|
ERROR: Errored while generating 'JRMPListener' and it will not be supported
|
|||
|
|
Generating payloads for JSON1...
|
|||
|
|
Generating payloads for JavassistWeld1...
|
|||
|
|
Generating payloads for Jdk7u21...
|
|||
|
|
Generating payloads for Jython1...
|
|||
|
|
Error while generating or serializing payload
|
|||
|
|
java.lang.IllegalArgumentException: Unsupported command []
|
|||
|
|
at ysoserial.payloads.Jython1.getObject(Jython1.java:52)
|
|||
|
|
at ysoserial.payloads.Jython1.getObject(Jython1.java:42)
|
|||
|
|
at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
|
|||
|
|
ERROR: Errored while generating 'Jython1' and it will not be supported
|
|||
|
|
Generating payloads for MozillaRhino1...
|
|||
|
|
Generating payloads for Myfaces1...
|
|||
|
|
Generating payloads for Myfaces2...
|
|||
|
|
Error while generating or serializing payload
|
|||
|
|
java.lang.IllegalArgumentException: Command format is: <base_url>:<classname>
|
|||
|
|
at ysoserial.payloads.Myfaces2.getObject(Myfaces2.java:47)
|
|||
|
|
at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
|
|||
|
|
ERROR: Errored while generating 'Myfaces2' and it will not be supported
|
|||
|
|
Generating payloads for ROME...
|
|||
|
|
Generating payloads for Spring1...
|
|||
|
|
Generating payloads for Spring2...
|
|||
|
|
Generating payloads for URLDNS...
|
|||
|
|
Error while generating or serializing payload
|
|||
|
|
java.net.MalformedURLException: no protocol:
|
|||
|
|
at java.net.URL.<init>(URL.java:593)
|
|||
|
|
at ysoserial.payloads.URLDNS.getObject(URLDNS.java:56)
|
|||
|
|
at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
|
|||
|
|
ERROR: Errored while generating 'URLDNS' and it will not be supported
|
|||
|
|
Generating payloads for Vaadin1...
|
|||
|
|
Generating payloads for Wicket1...
|
|||
|
|
Error while generating or serializing payload
|
|||
|
|
java.lang.IllegalArgumentException: Bad command format.
|
|||
|
|
at ysoserial.payloads.Wicket1.getObject(Wicket1.java:59)
|
|||
|
|
at ysoserial.payloads.Wicket1.getObject(Wicket1.java:49)
|
|||
|
|
at ysoserial.GeneratePayload.main(GeneratePayload.java:34)
|
|||
|
|
ERROR: Errored while generating 'Wicket1' and it will not be supported
|
|||
|
|
DONE! Successfully generated 0 static payloads and 22 dynamic payloads. Skipped 8 unsupported payloads.
|
|||
|
|
</code></pre></div></div><p>At completion, the <code class="language-plaintext highlighter-rouge">data/ysoserial_payloads.json</code> file is overwritten and the 22 dynamic payloads are ready for use within the framework. Afterward, the developer should follow the standard <code class="language-plaintext highlighter-rouge">git</code> procedures to <code class="language-plaintext highlighter-rouge">add</code> and <code class="language-plaintext highlighter-rouge">commit</code> the new JSON file before generating a pull request and landing the updated JSON into the framework’s <code class="language-plaintext highlighter-rouge">master</code> branch.</p><hr><footer><p><a href="#top" id="back-to-top">Back to top</a></p><p class="text-small text-grey-dk-000 mb-0"> <a href="https://github.com/rapid7/metasploit-framework/tree/master/docs/metasploit-framework.wiki/Generating-ysoserial-Java-serialized-objects.md" id="edit-this-page">Edit this page on GitHub</a></p></footer></div></div><div class="search-overlay"></div></div><script type="text/javascript" src="/assets/js/toggle_mode.js"></script> <script> var config = { theme: 'default', logLevel: 'fatal', securityLevel: 'strict', startOnLoad: true, arrowMarkerAbsolute: false, er: { diagramPadding: 20, layoutDirection: 'TB', minEntityWidth: 100, minEntityHeight: 75, entityPadding: 15, stroke: 'gray', fill: 'honeydew', fontSize: 12, useMaxWidth: true, }, flowchart:{ diagramPadding: 8, htmlLabels: true, curve: 'basis', }, sequence: { diagramMarginX: 50, diagramMarginY: 10, actorMargin: 50, width: 150, height: 65, boxMargin: 10, boxTextMargin: 5, noteMargin: 10, messageMargin: 35, messageAlign: 'center', mirrorActors: true, bottomMarginAdj: 1, useMaxWidth: true, rightAngles: false, showSequenceNumbers: false, }, gantt: { titleTopMargin: 25, barHeight: 20, barGap: 4, topPadding: 50, leftPadding: 75, fontSize: 11, gridLineStartPadding: 35, fontFamily: '\'Open Sans\', sans-serif', numberSectionStyles: 4, axisFormat: '%Y-%m-%d', topAxis: false, }, }; mermaid.initialize(config); window.mermaid.init(undefined, document.querySelectorAll('.language-mermaid')); </script>
|